Questions about Unity's Permissions

Sep 14th, 2010

Dear NetPro,

I have a customer with a worldwide 2003 Exchange/AD environment and strict rules on what applications/users, etc. get what permissions at what level... I'm attempting to install Unity 7.0(2) but have hit problems with running the Permissions Wizard and getting the correct permissions/rights granted.

We've been playing question/answer tennis over the Unity Permissions Wizard and the permissions in general, and the customer has asked me the following question:

"...why Unity needs access to the global deleted objects."

I answered, "It's a hidden container that's used to get triggers when you delete an object in AD - this is used so Unity knows when you delete an AD account and it can use that trigger to then remove their subscriber properties in our SQL database, thus preventing "stranded" subscribers in the DB"

Now they have asked:

It is not clear why the installation needs this level of permissions on the deleted items container in the <company> Global domain.

I can understand it is needed in the Denmark (local) domain, but not in the <company> Global domain

Can someone offer a concise answer?

Yours faithfully,


Aaron Harrison Tue, 09/14/2010 - 00:53

I have a couple of customers whose PW has failed on the Deleted Objects OU. They are running without any adverse effects noted (for years).



anmcbrid (Cisco Employee) Tue, 09/14/2010 - 06:13

It's not that uncommon for permission wizard to fail on deleted objects container.  Not a cause for concern.  Safe to ignore.

sopayne (Cisco Employee) Tue, 09/14/2010 - 14:32

I found this in an old engineering document and think it sheds a bit more light as to why the permission is set by Permissions Wizard:

"The AvDsAd.EXE and AvDsGlobalCatalog.EXE services require the ability to poll for USNChanged and IsDeleted attributes in Active Directory. This polling process is used to synchronize the Unity database with Active Directory. Tracking deleted objects is necessary to allow Unity to maintain an accurate subscriber database.

These services search specific attributes for each of the above objects. Unity tracks User, Group, Contact and the Unity location objects in Active Directory for deletion. It does this by filtering for USNChanged, IsDeleted and a Unity attribute: CiscoECSBUObjectType. Unity won’t search for non-Unity subscribers, groups or contacts, but it will check these objects to see if they are Unity objects."
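The polling described in the quoted engineering document, modelled in Python as an added example that is not part of the original thread and is not Cisco's code: it shows how a subscriber becomes stranded when the polling account cannot read deleted objects. The `Entry` class, the `poll`, `sync` and `run` functions and the GUID values are constructed for illustration, and the model assumes a deleted object keeps its GUID and its Unity type attribute.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    guid: str                 # stable key (assumption: survives deletion)
    usn_changed: int          # USNChanged: rises on every change, deletion included
    is_deleted: bool = False  # IsDeleted: true once the object is a deleted object
    unity_type: str = ""      # CiscoECSBUObjectType; empty = not a Unity object

def poll(directory, since_usn, can_read_deleted):
    """Entries changed after since_usn that the service account is able to read."""
    return [e for e in directory
            if e.usn_changed > since_usn
            and (can_read_deleted or not e.is_deleted)]

def sync(directory, subscribers, since_usn, can_read_deleted):
    """Run one polling cycle against the subscriber set; return the new high USN."""
    high = since_usn
    for e in poll(directory, since_usn, can_read_deleted):
        high = max(high, e.usn_changed)
        if not e.unity_type:
            continue                      # inspected, but not a Unity object
        if e.is_deleted:
            subscribers.discard(e.guid)   # AD account gone: drop the subscriber
        else:
            subscribers.add(e.guid)
    return high

def run(can_read_deleted):
    """Constructed scenario: two subscribers, one plain user, then bob is deleted."""
    directory = [
        Entry("guid-alice", 100, unity_type="subscriber"),
        Entry("guid-bob", 101, unity_type="subscriber"),
        Entry("guid-carol", 102),         # ordinary AD user, no Unity attribute
    ]
    subscribers = set()
    high = sync(directory, subscribers, 0, can_read_deleted)
    directory[1] = Entry("guid-bob", 103, is_deleted=True, unity_type="subscriber")
    sync(directory, subscribers, high, can_read_deleted)
    return subscribers

if __name__ == "__main__":
    print("deleted objects readable:  ", sorted(run(True)))
    print("deleted objects unreadable:", sorted(run(False)))
```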

